Hello,
I have exactly the same problem. See my previous post "Apereo CAS
4.1.0-RC2 with LDAP backend : Invalid Credential"
Sincerely
On 19/09/2015 15:29, Nicolás wrote:
> Hi,
>
> I'm having some issues configuring LDAP authentication on CAS 4.1.0. I
> must say I had this configuration working on 4.0.4 but for some
> reason, even when successfully authenticating vs. LDAP, CAS says the
> credentials are not right.
>
> This is what I did:
>
> 1) deployerConfigContext.xml: Inside the authenticationManager bean,
> this is the map defined:
> <constructor-arg>
> <map>
> <entry key-ref="proxyAuthenticationHandler"
> value-ref="proxyPrincipalResolver" />
> <entry key-ref="ldapAuthenticationHandler" value="#{null}" />
> </map>
> </constructor-arg>
>
> 2) deployerConfigContext.xml: Copied and pasted the LDAP support
> direct bind
> (http://jasig.github.io/cas/4.1.x/installation/LDAP-Authentication.html#ldap-supporting-direct-bind)
> config, except that I removed the p:sslConfig-ref="sslConfig" part and
> the corresponding sslConfig bean, because I'm not using SSL over LDAP.
>
> 3) pom.xml: Added the corresponding dependency:
> <dependency>
> <groupId>org.jasig.cas</groupId>
> <artifactId>cas-server-support-ldap</artifactId>
> <version>${cas.version}</version>
> </dependency>
>
> 4) cas.properties: I customized any needed properties, as I had it in
> my 4.0.4 working configuration.
>
> Now, I access /cas and authenticate, and CAS says the credentials are
> not right. I had a look at the authentication log and I found the
> binding to be successful as far as LDAP goes, as you can see here:
>
> Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
> anonymous mech=implicit ssf=0
> Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
> dn="uid=myuser,cn=...,dc=...,dc=..." method=128
> Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND
> dn="uid=myuser,cn=...,dc=...,dc=..." mech=SIMPLE ssf=0
> Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 RESULT tag=97
> err=0 text=
>
> I decide to activate the debugging as mentioned in the Troubleshooting
> page of the LDAP configuration, and I see the following:
>
> 2015-09-19 14:07:15,636 DEBUG [org.ldaptive.auth.FormatDnResolver]
> - <Formatting DN for myuser with uid=%s,cn=...,dc=...,dc=...>
> 2015-09-19 14:07:15,637 DEBUG [org.ldaptive.auth.Authenticator] -
> <authenticate dn=uid=myuser,cn=...,dc=...,dc=... with
> request=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
> retAttrs=[1.1]]>
> 2015-09-19 14:07:15,637 DEBUG
> [org.ldaptive.auth.PooledBindAuthenticationHandler] -
> <authenticate
>
> criteria=[org.ldaptive.auth.AuthenticationCriteria@1404709825::dn=uid=myuser,cn=...,dc=...,dc=...,
>
> authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
> retAttrs=[1.1]]]>
> 2015-09-19 14:07:15,639 DEBUG [org.ldaptive.BindOperation] -
> <execute
>
> request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=...,
> saslConfig=null, controls=null] with
>
> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
> connectTimeout=3000, responseTimeout=-1, sslConfig=null,
> useSSL=false, useStartTLS=false, connectionInitializer=null],
>
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
> count=1],
> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> com.sun.jndi.ldap.connect.timeout=3000,
> java.naming.ldap.version=3},
>
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={},
>
> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
> controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0]>
> 2015-09-19 14:07:15,643 DEBUG [org.ldaptive.BindOperation] -
> <execute response=[org.ldaptive.Response@1182007988::result=null,
> resultCode=SUCCESS, message=null, matchedDn=null,
> responseControls=null, referralURLs=null, messageId=-1] for
>
> request=[org.ldaptive.BindRequest@1670297304::bindDn=uid=myuser,cn=...,dc=...,dc=...,
> saslConfig=null, controls=null] with
>
> connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
> connectTimeout=3000, responseTimeout=-1, sslConfig=null,
> useSSL=false, useStartTLS=false, connectionInitializer=null],
>
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
> count=1],
> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> com.sun.jndi.ldap.connect.timeout=3000,
> java.naming.ldap.version=3},
>
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={},
>
> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
> controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0]>
> 2015-09-19 14:07:15,645 DEBUG
> [org.ldaptive.auth.PooledBindAuthenticationHandler] -
> <authenticate
>
> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1784519566::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
> connectTimeout=3000, responseTimeout=-1, sslConfig=null,
> useSSL=false, useStartTLS=false, connectionInitializer=null],
>
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
> count=1],
> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> com.sun.jndi.ldap.connect.timeout=3000,
> java.naming.ldap.version=3},
>
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={},
>
> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
> controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0],
> result=true, resultCode=SUCCESS, message=null, controls=null] for
>
> criteria=[org.ldaptive.auth.AuthenticationCriteria@1404709825::dn=uid=myuser,cn=...,dc=...,dc=...,
>
> authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
> retAttrs=[1.1]]]>
> 2015-09-19 14:07:15,660 INFO [org.ldaptive.auth.Authenticator] -
> <Authentication succeeded for dn: uid=myuser,cn=...,dc=...,dc=...>
> 2015-09-19 14:07:15,662 DEBUG [org.ldaptive.auth.Authenticator] -
> <authenticate
>
> response=[org.ldaptive.auth.AuthenticationHandlerResponse@1784519566::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1313776513::config=[org.ldaptive.ConnectionConfig@257920952::ldapUrl=ldap://localhost,
> connectTimeout=3000, responseTimeout=-1, sslConfig=null,
> useSSL=false, useStartTLS=false, connectionInitializer=null],
>
> providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@972029714::metadata=[ldapUrl=ldap://localhost,
> count=1],
> environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> com.sun.jndi.ldap.connect.timeout=3000,
> java.naming.ldap.version=3},
>
> providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@995300469::operationExceptionResultCodes=[PROTOCOL_ERROR,
> SERVER_DOWN], properties={},
>
> connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy@65f55fd2,
> controlProcessor=org.ldaptive.provider.ControlProcessor@5ae33587,
> environment=null, tracePackets=null, removeDnUrls=true,
> searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
> PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
> providerConnection=org.ldaptive.provider.jndi.JndiConnection@4b642bc0],
> result=true, resultCode=SUCCESS, message=null, controls=null] for
> dn=uid=myuser,cn=...,dc=...,dc=... with
> request=[org.ldaptive.auth.AuthenticationRequest@954293603::user=myuser,
> retAttrs=[1.1]]>
> 2015-09-19 14:07:15,664 INFO
> [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -
> <LdapAuthenticationHandler failed authenticating myuser+password>
> 2015-09-19 14:07:15,665 INFO
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
> <Audit trail record BEGIN
> =============================================================
> WHO: myuser+password
> WHAT: supplied credentials: [myuser+password]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Sat Sep 19 14:07:15 WEST 2015
> CLIENT IP ADDRESS: 192.168.1.X
> SERVER IP ADDRESS: 192.168.1.X
> =============================================================
>
> >
> 2015-09-19 14:07:15,667 INFO
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
> <Audit trail record BEGIN
> =============================================================
> WHO: myuser+password
> WHAT: 1 errors, 0 successes
> ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
> APPLICATION: CAS
> WHEN: Sat Sep 19 14:07:15 WEST 2015
> CLIENT IP ADDRESS: 192.168.1.X
> SERVER IP ADDRESS: 192.168.1.X
> =============================================================
>
>
> So if CAS says that the authentication succeeded at first, why does
> LdapAuthenticationHandler fail? Any hint will be very much appreciated
> since I'm a bit lost right now.
>
> Thanks,
>
> Nicolás
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
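The logs quoted in the thread show two different verdicts for the same login: slapd answers the simple bind with RESULT err=0, ldaptive logs "Authentication succeeded for dn", and four milliseconds later PolicyBasedAuthenticationManager reports that LdapAuthenticationHandler failed. The following is an added example, not code from the post or from CAS: it correlates the slapd and CAS log lines so that the point of failure (directory rejecting the bind vs. CAS failing after an accepted bind) is stated explicitly, and it also flags what the `mech=SIMPLE ssf=0` and `useStartTLS=false` lines mean, namely that the user's password crossed the wire to ldap://localhost in the clear. The sample lines are abridged, single-line copies of those in the post (its "..." elisions kept); the field names and verdict strings are my own.

```python
"""Correlate slapd and CAS/ldaptive log lines for one LDAP login attempt.
Added example; not part of the original post or of CAS itself."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: lines copied from the post above, abridged onto
# single lines. The post's "..." DN elisions are left as they appear there.
SLAPD_LOG = """\
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND anonymous mech=implicit ssf=0
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND dn="uid=myuser,cn=...,dc=...,dc=..." method=128
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 BIND dn="uid=myuser,cn=...,dc=...,dc=..." mech=SIMPLE ssf=0
Sep 19 14:07:15 machine slapd[22970]: conn=1004 op=1 RESULT tag=97 err=0 text=
"""

CAS_LOG = """\
2015-09-19 14:07:15,660 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: uid=myuser,cn=...,dc=...,dc=...>
2015-09-19 14:07:15,664 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating myuser+password>
ACTION: AUTHENTICATION_FAILED
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"(?: method=\d+| mech=(\S+) ssf=(\d+))')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
LDAPTIVE_RE = re.compile(r'\[org\.ldaptive\.auth\.Authenticator\] - <Authentication (succeeded|failed) for dn: ([^>]*)>')
CAS_FAIL_RE = re.compile(r'<(\w+) failed authenticating (\S+)>')
AUDIT_RE = re.compile(r'^ACTION: (\w+)', re.M)
BIND_RESPONSE_TAG = 97  # LDAP BindResponse is [APPLICATION 1], BER tag 0x61 == 97


@dataclass
class BindAttempt:
    dn: str
    mech: Optional[str] = None
    ssf: Optional[int] = None
    err: Optional[int] = None  # slapd result code on the BIND op; 0 is success

    @property
    def cleartext(self) -> bool:
        # A SIMPLE bind sends the password as-is; ssf=0 means slapd saw no
        # security layer (no LDAPS, no StartTLS) protecting that connection.
        return self.mech == "SIMPLE" and self.ssf == 0


@dataclass
class Diagnosis:
    dn: Optional[str] = None
    ldap_accepted_bind: Optional[bool] = None
    cleartext_bind: bool = False
    ldaptive_succeeded: Optional[bool] = None
    failing_cas_handler: Optional[str] = None
    audit_actions: List[str] = field(default_factory=list)
    verdict: str = ""


def parse_slapd(text: str) -> Dict[Tuple[str, str], BindAttempt]:
    """Pair each (conn, op) BIND with the RESULT line slapd logs for it."""
    attempts: Dict[Tuple[str, str], BindAttempt] = {}
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:  # anonymous binds carry no dn="..." and are skipped here
            key = (m.group(1), m.group(2))
            a = attempts.setdefault(key, BindAttempt(dn=m.group(3)))
            if m.group(4):
                a.mech, a.ssf = m.group(4), int(m.group(5))
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == BIND_RESPONSE_TAG:
            key = (m.group(1), m.group(2))
            if key in attempts:
                attempts[key].err = int(m.group(4))
    return attempts


def diagnose(slapd_text: str, cas_text: str) -> Diagnosis:
    """Decide whether the login failed at the directory or inside CAS."""
    d = Diagnosis()
    for a in parse_slapd(slapd_text).values():
        if a.err is not None:
            d.dn, d.ldap_accepted_bind, d.cleartext_bind = a.dn, a.err == 0, a.cleartext
    m = LDAPTIVE_RE.search(cas_text)
    if m:
        d.ldaptive_succeeded = m.group(1) == "succeeded"
    m = CAS_FAIL_RE.search(cas_text)
    if m:
        d.failing_cas_handler = m.group(1)
    d.audit_actions = AUDIT_RE.findall(cas_text)

    if d.ldap_accepted_bind is False:
        d.verdict = "directory rejected the bind: check the DN format and the password"
    elif d.ldap_accepted_bind and d.ldaptive_succeeded and d.failing_cas_handler:
        d.verdict = (f"bind accepted by slapd and ldaptive; {d.failing_cas_handler} failed "
                     "after the bind, so the fault is on the CAS side, not the credentials")
    elif d.ldap_accepted_bind and not d.failing_cas_handler and "AUTHENTICATION_FAILED" not in d.audit_actions:
        d.verdict = "login succeeded end to end"
    else:
        d.verdict = "inconclusive from these lines"
    return d


if __name__ == "__main__":
    result = diagnose(SLAPD_LOG, CAS_LOG)
    print(result.verdict)
    if result.cleartext_bind:
        print("warning: SIMPLE bind with ssf=0, password sent in the clear")
```

Run against the post's lines, the verdict localizes the failure after the bind, inside CAS, which matches the four-millisecond gap between the ldaptive success and the PolicyBasedAuthenticationManager failure with no further LDAP operation between them. Replacing err=0 with err=49 (invalidCredentials) in the slapd lines flips the verdict to a directory-side rejection, which is the case the handler's generic "failed authenticating" message would otherwise hide.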